On Tue, Aug 29, 2023 at 06:42:46PM +1000, Matthew J Black via Postfix-users wrote:

> ~~~
> postmap: warning: connect to mysql server sql.my_example.com: Access denied
> for user 'mail-user'@'192.168.1.101' (using password: YES)
> postmap: fatal: table mysql:/etc/postfix/sql_vdomains.cf: query error:
> Resource temporarily unavailable
> ~~~
> 
> As I said, the only change being made is turning on TLS on the DB Server ie
> in /etc/my.cnf.d/my_settings.cnf add the settings:
> ~~~
> require_secure_transport=ON
> ssl-ca=/my/cert/path/ca_bundle.pem
> ssl-cert=/my/cert/path/sql.my_example.com_rsa.crt
> ssl-key=/my/cert/path/sql.my_example.com_rsa.key
> ~~~

The docs are at:

    https://mariadb.com/kb/en/securing-connections-for-client-and-server/

Are the configuration changes you quote server-specific, or are they
also in scope for client connections (i.e. the client also ends up with
a TLS key and cert)?  See specifically:

    https://mariadb.com/kb/en/securing-connections-for-client-and-server/#enabling-two-way-tls-for-mariadb-clients

where they mention:

    Two-way SSL is required for an account if the REQUIRE X509, REQUIRE
    SUBJECT, and/or REQUIRE ISSUER clauses are specified for the
    account.

Depending on how things are configured, presenting client certs might be
required, or could be the source of the problem (might change the
server's notion of the client's identity).  See also:

    https://mariadb.com/kb/en/securing-connections-for-client-and-server/#requiring-tls

It is also possible that the Postfix MySQL client isn't even attempting
TLS, because you haven't configured any of the TLS settings that tell
Postfix you want to use TLS:

       tls_cert_file
              File containing client's X509 certificate.

              This parameter is available with Postfix 2.11 and later.

       tls_key_file
              File containing the private key corresponding to  tls_cert_file.

              This parameter is available with Postfix 2.11 and later.

       tls_CAfile
              File  containing  certificates for all of the X509 Certification
              Authorities the client will recognize.   Takes  precedence  over
              tls_CApath.

              This parameter is available with Postfix 2.11 and later.

       tls_CApath
              Directory  containing  X509 Certification Authority certificates
              in separate individual files.

              This parameter is available with Postfix 2.11 and later.

You might need at least one of tls_CAfile or tls_CApath to be non-empty.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
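
An added example, not part of the message above: a shell check that reports which of the four TLS parameters quoted in the reply a Postfix `mysql:` table file actually sets, and whether a CA source is present. It assumes the table file uses main.cf-style `name = value` syntax with `#` comments and continuation lines; the sample file is constructed, and its `dbname`, password and query are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Postfix mysql: table file for client TLS parameters.
cf_params() {   # print one name=value line per parameter in file $1
    awk '
        function emit() {
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name != "") print name "=" val
            name = ""; val = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comment or blank line
        /^[ \t]/ { sub(/^[ \t]+/, ""); val = val " " $0; next }  # continuation
        {
            emit()
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", name)
        }
        END { emit() }
    ' "$1"
}

# Exit 0 when tls_CAfile or tls_CApath is set to a non-empty value.
cf_has_tls_trust() {
    cf_params "$1" | grep -Eq '^tls_CA(file|path)=.+'
}

# One line per TLS parameter: its value, or "(unset)" when missing or empty.
cf_tls_report() {
    for p in tls_cert_file tls_key_file tls_CAfile tls_CApath; do
        v=$(cf_params "$1" | sed -n "s/^$p=//p" | tail -n 1)
        printf '%-14s %s\n' "$p" "${v:-(unset)}"
    done
}

# Constructed sample: host, user and CA path echo the placeholders in the
# thread; dbname, password and query are made up for illustration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hosts = sql.my_example.com
user = mail-user
password = CHANGE_ME
dbname = mail
query = SELECT 1 FROM domains
    WHERE name = '%s'
# tls_CAfile = /my/cert/path/ca_bundle.pem
tls_CApath =
EOF
cf_tls_report "$sample"
cf_has_tls_trust "$sample" || echo "no CA file or path set in $sample"
```

On the sample, all four parameters report `(unset)` because the only `tls_CAfile` line is commented out and `tls_CApath` is empty.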
